Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem

Note: This report is updated by a verification record

The package exhibits multiple suspicious behaviors. The package.json includes a preinstall script that executes node setup_bun.js, which is highly unusual and a potential entry point for malicious code execution before installation. Furthermore, both bun_environment.js and setup_bun.js files trigger the bash_persist_persistent YARA rule, indicating access to multiple bash startup files, a common persistence technique used by malware. The combination of these factors strongly suggests malicious intent.